Data sharing can bring important benefits to organisations, citizens and 
consumers, making our lives easier and helping to deliver efficient 
services. It is important, however, that organisations who share personal 
data have high data protection standards, sharing data in ways that are 
fair, transparent and accountable. We also want controllers to be 
confident when dealing with data sharing matters so individuals can be 
confident their data has been shared securely and responsibly. 


As required by the Data Protection Act 2018, we are working on updating our 
data sharing code of practice, which was published in 2011. The updated 
code will explain and advise on changes to data protection legislation 
where these changes are relevant to data sharing. It will address many 
aspects of the new legislation including transparency, lawful bases for 
processing, the new accountability principle and the requirement to record 
processing activities. 


The updated data sharing code of practice will continue to provide 
practical guidance in relation to data sharing and will promote good 
practice in the sharing of personal data. In the first instance we will 
address the impact of the changes in data protection legislation on data 
sharing and will then move on to developing further case studies. Our 
intention is that, as well as legislative changes, the code will also deal 
with technical and other developments that have had an impact on data 
sharing since the publication of the last code in 2011. 


Before preparation of the code the Information Commissioner must 
consult with the Secretary of State. She is also seeking input from trade 
associations, data subjects and those representing the interests of data 
subjects. This call for views is the first stage of the consultation process. 
We will use the responses we receive to inform our work in developing the 
updated code. 


You can email your response to CentralGovernment@ICO.org.uk


Information Commissioner's Office 


Or print and post to: 


Data Sharing Code Call for Evidence 
Central Government Department 
Information Commissioner’s Office 
Wycliffe House 
Water Lane 
Wilmslow 
Cheshire SK9 5AF 


If you would like further information on the call for evidence, please email 
the Central Government team. 


Please send us your views by 10 September 2018. 


Privacy statement 


For this call for evidence we will publish responses received from 
organisations but will remove any personal data before publication. We 
will not publish responses from individuals. For more information about 
what we do with personal data please see our privacy notice. 


Questions 


Q1 We intend to revise the code to address the impact of changes in 
data protection legislation, where these changes are relevant to 
data sharing. What changes to the data protection legislation do 
you think we should focus on when updating the code? 


All routine data sharing is covered by our privacy notice - this helps us to 
meet the obligation of transparent processing. It would be useful to know 
whether the fact that data sharing is transparent by inclusion in a privacy 
notice impacts whether a separate DSA is required. 

Q2 Apart from recent changes to data protection legislation, are there 
other developments that are having an impact on your 
organisation’s data sharing practice that you would like us to 
address in the updated code? 


Yes 


No 




Q3 If yes (please specify) 
N/A. 


Q4 Does the 2011 data sharing code of practice strike the right 
balance between recognising the benefits of sharing personal data 
and the need to protect it? Please give details. 


Yes 


No 

Q5 If yes in what ways does it achieve this? 


The foreword provides details of such an assessment. The CPS considers 
this on a case by case basis where the data sharing is not part of our 
statutory function and bears the 2011 guidance in mind when doing so. 


Q6 If no, in what ways does it fail to strike the right balance? 

Q7 What types of data sharing (eg systematic, routine sharing or 
exceptional, ad hoc requests) are covered in too much detail in the 
2011 code? 


We do not consider that either type of data sharing is covered in too 
much detail. We welcome the fact that the code is largely concise and to 
the point. 


Q8 What types of data sharing (eg systematic, routine sharing or 
exceptional, ad hoc requests) are not covered in enough detail in 
the 2011 code? 


The types of data sharing outlined in the code could benefit from 
examples describing the scenarios in which different types of data sharing 
are likely to occur, and further clarity around some of the terms used 
would be of use. Section 3 of the 2011 guidance talks about systematic 
sharing, and how ‘established rules and procedures’ or ‘routine agreement’ 
should be in place for processing of this nature. However, in practical 
terms, what should we ensure is in place as a data controller? If each and 
every strand of processing should be covered off by a DSA, even where 
the sharing is required by statute, the work required to maintain these 
and ensure accuracy would be a huge challenge to maintain. 

Q9 Is the 2011 code relevant to the types of data sharing your 
organisation is involved in? If not, which additional areas should 
we cover? 


The types of data sharing mentioned in the code are relevant to our 
organisation. As with the response to Q8 - a practical steer of what is 
expected would allow us to ensure we apply the guidance as it is 
intended. 


Q10 Please provide details of any case studies or data sharing scenarios 
that you would like to see included in the updated code? 


Case studies around when a DSA is required would be of use. The CPS 
would always produce a DSA where ad-hoc data sharing takes place. 
However the task of maintaining agreements for all agencies with whom 
we share data in order to deliver our prosecutorial function would be an 
onerous one, and risk of them becoming out of date would inevitably be 
high. 

Q11 Is there anything the 2011 code does not cover that you think it 
should? Please provide details. 


We would welcome guidance on the following areas: 


- Data sharing and sub-processors: Further guidance on this point 
particularly in the following scenario would be much appreciated - 


Are there any obligations on a data controller to account for data sharing 
between a processor and sub-processor within a data sharing agreement? 
The data controller discloses data to the processor, who then chooses to 
use a sub-processor to complete the data analysis, for example. What are 
the obligations of the data controller to ensure the sub-processor is DPA 
2018 compliant? Is it sufficient simply to set out that we expect them to, 
and the processor should be responsible for any detailed DSA that is 
deemed necessary? 


- Differences between MOUs and DSAs: There appears to be little 
guidance on the differences between the two arrangements and it is 
unclear in what circumstances either would be appropriate. In fact, in a 
lot of cases the terms seem to be used interchangeably. Practical 
examples of when an MOU or DSA is most appropriate would be helpful. 


Q12 In what other ways do you think the 2011 code could be 
improved? 


If another section of the guidance is relevant to a specific topic, ad hoc 
sharing for example, then references would be useful to allow us to swiftly 
consider the relevant sections of the guidance. 

Q13 Are you answering these questions as? 
A public sector worker 
A private sector worker 
A third or voluntary sector worker 
A member of the public 
A representative of a trade association 
A data subject 
An ICO employee 


Other 

Q14 If other please specify: 


Q15 Please provide more information about the type of organisation 
you work for, ie a bank, a housing association, a school. 


Crown Prosecution Service. 


Q16 We may want to contact you about some of the points you have 
raised. If you are happy for us to do this please provide your email 
address: 




Thank you for taking the time to share your views and experience. 


